The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts.
“The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” CYFIRMA said in a technical report.
Transparent Tribe, also called APT36, is a hacking group that’s known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Indian origin, the state-sponsored adversary has been active since at least 2013.
The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.
The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using “mshta.exe” that decrypts and loads the final RAT payload directly in memory. In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users’ suspicion.
“After decoding logic is established, the HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment,” CYFIRMA noted. “This behavior demonstrates environment profiling and runtime manipulation, ensuring compatibility with the target system and increasing execution reliability techniques commonly observed in malware abusing ‘mshta.exe.’”
A noteworthy aspect of the malware is its ability to adapt its persistence method based on the antivirus solutions installed on the infected machine –
- If Kapsersky is detected, it creates a working directory under “C:\Users\Public\core\,” writes an obfuscated HTA payload to disk, and establishes persistence by dropping a LNK file in the Windows Startup folder that, in turn, launches the HTA script using “mshta.exe”
- If Quick Heal is detected, it establishes persistence by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload to disk, and then calling it using the batch script
- If Avast, AVG, or Avira are detected, it works by directly copying the payload into the Startup directory and executing it
- If no recognized antivirus solution is detected, it falls back to a combination of batch file execution, registry based persistence, and payload deployment prior to launching the batch script
The second HTA file includes a DLL named “iinneldc.dll” that functions as a fully-featured RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.
“APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat, with a sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors,” the cybersecurity company said.
In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader, which then drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access.
The shortcut is designed to execute an obfuscated command using cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”), which is responsible for initiating a series of actions –
- Extract and display a decoy PDF document to the victim
- Decode and write DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
- Drop “PcDirvs.exe” to the same the same location and execute it after a delay of 10 seconds
- Establish persistence by creating “PcDirvs.hta” that contains Visual Basic Script to make Registry modifications to launch “PcDirvs.exe” every time after system startup
It’s worth pointing out that the lure PDF displayed is a legitimate advisory issued by the National Cyber Emergency Response Team of Pakistan (PKCERT) in 2024 about a fraudulent WhatsApp message campaign targeting government entities in Pakistan with a malicious WinRAR file that infects systems with malware.
The DLL “wininet.dll” connects to a hard-coded command-and-control (C2) infrastructure hosted at dns.wmiprovider[.]com. It was registered in mid-April 2025. The C2 associated with the activity is currently inactive, but the Windows Registry-based persistence ensures that the threat can be resurrected at any time in the future.
“The DLL implements multiple HTTP GET–based endpoints to establish communication with the C2 server, perform updates, and retrieve attacker-issued commands,” CYFIRMA said. “To evade static string detection, the endpoint characters are intentionally stored in reversed order.”
The list of endpoints is as follows –
- /retsiger (register), to register the infected system with the C2 server
- /taebtraeh (heartbeat), to beacon its presence to the C2 server
- /dnammoc_teg (get_command), to run arbitrary commands via “cmd.exe”
- /dnammocmvitna (antivmcommand), to query or set an anti-VM status and likely adjust behavior
The DLL also queries installed antivirus products on the victim system, turning it into a potent tool capable of conducting reconnaissance and gathering sensitive information.
Patchwork Linked to New StreamSpy Trojan
The disclosure comes weeks after Patchwork (aka Dropping Elephant or Maha Grass), a hacking group believed to be of Indian origin, was linked to attacks targeting Pakistan’s defense sector with a Python-based backdoor that’s distributed via phishing emails containing ZIP files, according to security researcher Idan Tarab.
Present within the archive is an MSBuild project that, when executed via “msbuild.exe,” deploys a dropper to ultimately install and launch the Python RAT. The malware is equipped to contact a C2 server and run remote Python modules, execute commands, and upload/download files.
“This campaign represents a modernized, highly obfuscated Patchwork APT toolkit blending MSBuild LOLBin loaders, PyInstaller‑modified Python runtimes, marshalled bytecode implants, geofencing, randomized PHP C2 endpoints, [and] realistic persistence mechanisms,” Tarab said.
As of December 2025, Patchwork has also been associated with a previously undocumented trojan named StreamSpy, which uses WebSocket and HTTP protocols for C2 communication. While the WebSocket channel is used to receive instructions and transmit the execution results, HTTP is leveraged for file transfers.
StreamSpy’s links to Patchwork, per QiAnXin, stem from its similarities to Spyder, a variant of another backdoor named WarHawk that’s attributed to SideWinder. Patchwork’s use of Spider dates all the way back to 2023.
Distributed via ZIP archives (“OPS-VII-SIR.zip”) hosted on “firebasescloudemail[.]com,” the malware (“Annexure.exe“) can harvest system information, establish persistence via Windows Registry, scheduled task, or via a LNK file in the Startup folder, communicate with the C2 server using HTTP and WebSocket. The list of support commands is below –
- F1A5C3, to download a file and open it using ShellExecuteExW
- B8C1D2, to set the shell for command execution to cmd
- E4F5A6, to set the shell for command execution to PowerShell
- FL_SH1, to close all shells
- C9E3D4, E7F8A9, H1K4R8, C0V3RT, to download encrypted zip files from the C2 server, extract them, and open them using ShellExecuteExW
- F2B3C4, to gather information about the file system and all disks connected to the device
- D5E6F7, to perform file upload and download
- A8B9C0, to perform file upload
- D1E2F3, to delete a file
- A4B5C6, to rename a file
- D7E8F9, to enumerate a specific folder
QinAnXin said the StreamSpy download site also hosts Spyder variants with extensive data collection features, adding the malware’s digital signature exhibits correlations with a different Windows RAT called ShadowAgent attributed to the DoNot Team (aka Brainworm). Interestingly, 360 Threat Intelligence Center flagged the same “Annexure.exe” executable as ShadowAgent in November 2025.
“The emergence of the StreamSpy Trojan and Spyder variants from the Maha Grass group indicates that the group is continuously iterating its arsenal of attack tools,” the Chinese security vendor said.
“In the StreamSpy trojan, attackers attempt to use WebSocket channels for command issuance and result feedback to evade detection and censorship of HTTP traffic. Additionally, the correlated samples further confirm that the Maha Grass and DoNot attack groups have some connections in terms of resource sharing.”
